Re: [PATCH 0/4] Fix misused kernel_read_file() enums
From: Mimi Zohar
Date: Tue Jul 07 2020 - 11:38:02 EST
Hi Kees,
On Tue, 2020-07-07 at 01:19 -0700, Kees Cook wrote:
> Hi,
>
> In looking for closely at the additions that got made to the
> kernel_read_file() enums, I noticed that FIRMWARE_PREALLOC_BUFFER
> and FIRMWARE_EFI_EMBEDDED were added, but they are not appropriate
> *kinds* of files for the LSM to reason about. They are a "how" and
> "where", respectively. Remove these improper aliases and refactor the
> code to adapt to the changes.
Thank you for adding the missing calls and the firmware pre allocated
buffer comment update.
>
> Additionally adds in missing calls to security_kernel_post_read_file()
> in the platform firmware fallback path (to match the sysfs firmware
> fallback path) and in module loading. I considered entirely removing
> security_kernel_post_read_file() hook since it is technically unused,
> but IMA probably wants to be able to measure EFI-stored firmware images,
> so I wired it up and matched it for modules, in case anyone wants to
> move the module signature checks out of the module core and into an LSM
> to avoid the current layering violations.
IMa has always verified kernel module signatures. ÂRecently appended
kernel module signature support was added to IMA. ÂThe same appended
signature format is also being used to sign and verify the kexec
kernel image.
With IMA's new kernel module appended signature support and patch 4/4
in this series, IMA won't be limit to the finit_module syscall, but
could support the init_module syscall as well.
>
> This touches several trees, and I suspect it would be best to go through
> James's LSM tree.
Sure.
thanks!
Mimi